Temporarily Prevent Users from Connecting via the Network to a Windows 2000 System

by Johannes Helmig [Published on 4 Feb. 2001 / Last Updated on 4 Feb. 2001]

As the administrator of a Windows 2000 system, you sometimes need to perform system maintenance
or install new software or hardware components, which requires that no users be connected
to the server during this activity (because you will have to restart the system a few times and
you do not want to take the risk of users losing data, although the number of system restarts
required after a software installation has been reduced substantially compared to an NT4 system).

Although you might sometimes do this on a night shift or during the weekend (which you like to
avoid as much as possible), users connect even at these times, and sometimes the work cannot wait.
And users typically either forget or ignore messages sent around such as:
"Maintenance on the Server at xx:xx : please log off and do not reconnect until yy:yy"
They keep working and accessing data on the server!

The Windows 2000 system has some tools available to help you in such situations.
(A Windows NT4 system has the same tools, but they are found in different locations.)

Go to the "Control Panel" and select "Administrative Tools", then "Computer Management".

In the tree (left pane), under "System Tools", select "Shared Folders" / "Sessions"
to display the list of users connected via the network.
With a right-click, you can "Close the Session" to disconnect the user from the system.

However, if the user accesses any resource on the server after such a forced log-out
(via Network Neighborhood or via a mapped network drive), his system will re-establish
the network connection and log in again: the user is connected once more!

To prevent such new logins, we need to use a more powerful tool:

In "Administrative Tools", select "Local Security Policy".

In the tree (left pane), select "Local Policies", then "User Rights Assignment".

I had a problem using the same method as in NT4: taking away the permissions for the
user group "Everyone" for "Access this computer from the network" (I also removed the
right for Power Users), but I was still able to connect.

However, Windows 2000 has (compared to NT4) a new policy:
"Deny access to this computer from the network".

Usually, nobody is defined for this policy.

Click on the button "Add".

In the "Select Users or Groups" window, click on "Everyone", then on the button "Add" to
have "Everyone" listed in the lower box, then on "OK" to close this window.


You have now defined that the members of the user group "Everyone" (all Windows 2000 users
defined on the system are by default members of this group) are NOT allowed to connect via
the network to the system.

Select "OK" to exit and to make this new policy active.


If a user now tries to use any resource on the server, via "Network Neighborhood" or via
"My Computer" with a mapped network drive, his regular user name and password are no longer
sufficient for a connection.

The request for the password for the "IPC$" resource is the typical message shown when a
user does not have sufficient rights to connect to the Windows 2000 system.

Once you have finished your job on the server and users should be allowed to connect to
the server again:

Go back to the "Control Panel" and select "Administrative Tools", then "Local Security Policy".

Remove the checkmark ("un-check") from "Everyone", then select "OK" to exit and to make
this change active.

The users can now connect again via the network to this system.
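
To confirm after maintenance that the "Everyone" entry really is gone, the policy can be exported to a text file and checked. The following is an added example, not part of the original article; it assumes the export was made with "secedit /export /cfg" and has the usual [Privilege Rights] section, and the function names and sample text are constructed for illustration.

```python
import codecs

ALLOW = "SeNetworkLogonRight"      # "Access this computer from the network"
DENY = "SeDenyNetworkLogonRight"   # "Deny access to this computer from the network"
EVERYONE = {"everyone", "*s-1-1-0"}  # group name or its well-known SID

# Constructed sample of an export taken while the deny entry is in place.
SAMPLE_MAINTENANCE = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Privilege Rights]\r\n"
    "SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544\r\n"
    "SeDenyNetworkLogonRight = *S-1-1-0\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\n"
)

def decode_export(raw: bytes) -> str:
    """Exports are usually UTF-16 with a BOM; accept ANSI/UTF-8 as well."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def privilege_rights(text: str) -> dict:
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def network_logon_state(text: str) -> str:
    """BLOCKED: Everyone is denied. PARTIAL: other deny entries. OPEN: none."""
    rights = privilege_rights(text)
    denied = rights.get(DENY, [])
    if any(p.lower() in EVERYONE for p in denied):
        return "BLOCKED"  # a deny entry takes precedence over the allow right
    if denied:
        return "PARTIAL"
    return "OPEN" if rights.get(ALLOW) else "NO_ALLOW"

if __name__ == "__main__":
    print(network_logon_state(SAMPLE_MAINTENANCE))  # BLOCKED
```

A result other than "OPEN" after the maintenance window means the deny policy still lists someone and network users remain locked out.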
